vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 23:50:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): enforce bounded webhook body handling

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-13 19:14:36 +01:00
parent 2f9c523bbe
commit 3cbcba10cf
20 changed files with 834 additions and 281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
extensions/msteams/src/monitor.ts
View File

@@ -1,5 +1,6 @@
import type { Request, Response } from "express";
import {
DEFAULT_WEBHOOK_MAX_BODY_BYTES,
mergeAllowlist,
summarizeMapping,
type OpenClawConfig,
@@ -32,6 +33,8 @@ export type MonitorMSTeamsResult = {
shutdown: () => Promise<void>;
};
const MSTEAMS_WEBHOOK_MAX_BODY_BYTES = DEFAULT_WEBHOOK_MAX_BODY_BYTES;
export async function monitorMSTeamsProvider(
opts: MonitorMSTeamsOpts,
): Promise<MonitorMSTeamsResult> {
@@ -239,7 +242,14 @@ export async function monitorMSTeamsProvider(
// Create Express server
const expressApp = express.default();
expressApp.use(express.json());
expressApp.use(express.json({ limit: MSTEAMS_WEBHOOK_MAX_BODY_BYTES }));
expressApp.use((err: unknown, _req: Request, res: Response, next: (err?: unknown) => void) => {
if (err && typeof err === "object" && "status" in err && err.status === 413) {
res.status(413).json({ error: "Payload too large" });
return;
}
next(err);
});
expressApp.use(authorizeJWT(authConfig));
// Set up the messages endpoint - use configured path and /api/messages as fallback